From 7b86fda0c9b6b9772c20005fb135c95277083f1d Mon Sep 17 00:00:00 2001
From: Oleksandr Byelkin <sanja@mariadb.com>
Date: Sun, 28 Aug 2016 09:44:49 +0200
Subject: Fixed length of codding of COM_MULTI parts.

---
 sql/sql_parse.cc | 37 ++++++++++++++++++++++++-------------
 1 file changed, 24 insertions(+), 13 deletions(-)

diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc
index 8dc34c2dfe2..c76e22a2e57 100644
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -1476,13 +1476,16 @@ uint maria_multi_check(THD *thd, char *packet, uint packet_length)
   DBUG_ENTER("maria_multi_check");
   while (packet_length)
   {
+    char *packet_start= packet;
+    size_t subpacket_length= net_field_length((uchar **)&packet_start);
+    uint length_length= packet_start - packet;
     // length of command + 3 bytes where that length was stored
-    uint subpacket_length= (uint3korr(packet) + 3);
-    DBUG_PRINT("info", ("sub-packet length: %d  command: %x",
-                        subpacket_length, packet[3]));
+    DBUG_PRINT("info", ("sub-packet length: %ld + %d  command: %x",
+                        (ulong)subpacket_length, length_length,
+                        packet_start[3]));
 
-    if (subpacket_length == 3 ||
-        subpacket_length > packet_length)
+    if (subpacket_length == 0 ||
+        (subpacket_length + length_length) > packet_length)
     {
       my_message(ER_UNKNOWN_COM_ERROR, ER_THD(thd, ER_UNKNOWN_COM_ERROR),
                  MYF(0));
@@ -1490,8 +1493,8 @@ uint maria_multi_check(THD *thd, char *packet, uint packet_length)
     }
 
     counter++;
-    packet+= subpacket_length;
-    packet_length-= subpacket_length;
+    packet= packet_start + subpacket_length;
+    packet_length-= (subpacket_length + length_length);
   }
   DBUG_RETURN(counter);
 }
@@ -2231,8 +2234,10 @@ bool dispatch_command(enum enum_server_command command, THD *thd,
       break;
 
     {
+      char *packet_start= packet;
       /* We have to store next length because it will be destroyed by '\0' */
-      uint next_subpacket_length= uint3korr(packet);
+      size_t next_subpacket_length= net_field_length((uchar **)&packet_start);
+      uint next_length_length= packet_start - packet;
       unsigned char *readbuff= net->buff;
 
       if (net_allocate_new_packet(net, thd, MYF(0)))
@@ -2246,13 +2251,19 @@ bool dispatch_command(enum enum_server_command command, THD *thd,
       while (packet_length)
       {
         current_com++;
-        uint subpacket_length= next_subpacket_length + 3;
+        size_t subpacket_length= next_subpacket_length + next_length_length;
+        uint length_length= next_length_length;
         if (subpacket_length < packet_length)
-          next_subpacket_length= uint3korr(packet + subpacket_length);
+        {
+          packet_start= packet + subpacket_length;
+          next_subpacket_length= net_field_length((uchar**)&packet_start);
+          next_length_length= packet_start - (packet + subpacket_length);
+        }
         /* safety like in do_command() */
         packet[subpacket_length]= '\0';
 
-        enum enum_server_command subcommand= fetch_command(thd, (packet + 3));
+        enum enum_server_command subcommand=
+          fetch_command(thd, (packet + length_length));
 
         if (server_command_flags[subcommand] & CF_NO_COM_MULTI)
         {
@@ -2260,8 +2271,8 @@ bool dispatch_command(enum enum_server_command command, THD *thd,
           goto com_multi_end;
         }
 
-        if (dispatch_command(subcommand, thd, packet + (1 + 3),
-                             subpacket_length - (1 + 3), TRUE,
+        if (dispatch_command(subcommand, thd, packet + (1 + length_length),
+                             subpacket_length - (1 + length_length), TRUE,
                              (current_com != counter)))
         {
           DBUG_ASSERT(thd->is_error());
-- 
cgit v1.2.1